fix: Improve cross-origin cookie handling #22320
Conversation
chrisbreiding
requested review from
mjhenkes,
mschile,
AtofStryker and
emilyrohrbough
|
Thanks for taking the time to open a PR!
|
| @@ -4,6 +4,7 @@ import { Cookies } from './cookies' | |||
| import { Screenshot } from './screenshot' | |||
| import type { BrowserPreRequest } from '@packages/proxy' | |||
| import type { AutomationMiddleware, OnRequestEvent } from '@packages/types' | |||
| import { removeAllCookies, removeCookie } from '../cookie-jar' | |||
There was a problem hiding this comment.
without lookin into this deeply, why not merge the cookie jar and the cookies class? the names make it sound like one or the other could leverage each other and/or they could be merged?
Seems like the Cookies class might be able to.
There was a problem hiding this comment.
They serve different purposes.
lib/cookie-jar is a stateful wrapper around tough-cookie's cookie implementation and stores cookies in memory for the sake of cross-origin testing.
lib/automation/cookies is a stateless wrapper around automating cookies. It's more about taking actions with cookies than storing them.
I don't really see anything that can be shared between them and I think it makes sense to keep their concerns separate.
There was a problem hiding this comment.
hmm okay. Since the names are so similar, thoughts on updating both files to add a quick blur that describes their intent?
There was a problem hiding this comment.
Good idea. Added in ab6e987 (#22320)
| } | ||
|
|
||
| removeAllCookies () { | ||
| this._cookieJar.removeAllCookiesSync() |
There was a problem hiding this comment.
Does this need to be sync?
There was a problem hiding this comment.
It doesn't need to, but there's no reason for it not to be sync. The cookie store is kept in memory, so all this ends up doing is basically cookieJar.cookies = {}. There's no sync file system access to worry about or anything.
|
Test summary
Run details
View run in Cypress Dashboard ➡️ Flakiness
This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard |
||||||||||||||||||||||||||||||||||||||||||||||
| async capturePreviousCookies () { | ||
| // this plays a part in adding cross-origin cookies to the browser via | ||
| // automation. if the request doesn't need cross-origin handling, this | ||
| // is a nooop |
There was a problem hiding this comment.
| // is a nooop | |
| // is a noop |
There was a problem hiding this comment.
I just wanted to emphasize that this does nooothing in that situation 😅
There was a problem hiding this comment.
Addressed in 52b6874 (#22320).
| async getAddedCookies () { | ||
| // this plays a part in adding cross-origin cookies to the browser via | ||
| // automation. if the request doesn't need cross-origin handling, this | ||
| // is a nooop |
There was a problem hiding this comment.
| // is a nooop | |
| // is a noop |
There was a problem hiding this comment.
Addressed in 52b6874 (#22320).
packages/server/lib/socket-base.ts
Outdated
| @@ -474,6 +476,8 @@ export class SocketBase { | |||
| return this.localBus.emit('cross:origin:release:html') | |||
| case 'cross:origin:finished': | |||
| return this.localBus.emit('cross:origin:finished', args[0]) | |||
| case 'url:changed': | |||
There was a problem hiding this comment.
Is this related to cookies or something that was missed previously?
There was a problem hiding this comment.
No, this is vestigial from a previous implementation. I just missed removing it. Addressed in 3c558b5 (#22320).
| @@ -393,99 +393,101 @@ const MaybePreventCaching: ResponseMiddleware = function () { | |||
| this.next() | |||
| } | |||
|
|
|||
| const determineIfNeedsCrossOriginHandling = (ctx: HttpMiddlewareThis<ResponseMiddlewareProps>) => { | |||
| const previousAUTRequestUrl = ctx.getPreviousAUTRequestUrl() | |||
| const checkNeedsCrossOriginHandling = (ctx: HttpMiddlewareThis<ResponseMiddlewareProps>) => { | |||
There was a problem hiding this comment.
| const checkNeedsCrossOriginHandling = (ctx: HttpMiddlewareThis<ResponseMiddlewareProps>) => { | |
| const checkIfNeedsCrossOriginHandling = (ctx: HttpMiddlewareThis<ResponseMiddlewareProps>) => { |
There was a problem hiding this comment.
Addressed in 95124a3 (#22320)
| @@ -300,6 +300,11 @@ export class CdpAutomation { | |||
| return this.getCookie(data) | |||
| }) | |||
|
|
|||
| case 'add:cookies': | |||
| setCookie = data.map((cookie) => normalizeSetCookieProps(cookie)) as Protocol.Network.SetCookieRequest[] | |||
There was a problem hiding this comment.
Wonder if there is additional benefit to specifying the setCookie type to show it might be a single SetCookieRequest or an array of them on line 278, and then the consuming code just casts it, though I don't think this has a lot of benefit from a typings perspective.
let setCookie: Protocol.Network.SetCookieRequest | Protocol.Network.SetCookieRequest[]
…esser/CLOUD-577-spec-list-display-latest-runs-batching * muaz/CLOUD-577-spec-list-display-latest-runs: fix: Update "Request Access" button state after requesting access (ACI) (#22499) feat: Support "Queued" latest run status (#22497) fix: remove ctx.cloud.reset in tests, handle infinite loop in stale results (#22483) chore: add reporter webpack to gulp watch script (#22386) fix: Increase timeout for npm-webpack-dev-server tests (#22489) fix: Time out unmatched prerequests in proxy to avoid leaking memory (#22462) fix: Sort results in findCrossOriginLogs test helper to deterministic (#22481) fix: memory leak caused by storing base64 encoded files recieved by CDP `Network.requestWillBeSent` (#22460) fix: Improve cross-origin cookie handling (#22320) feat: Add button to clear value from search fields (#22202) chore: Add test to verify settings panels are collapsed by default (#22382) fix: process_profiler follow up work for v10 (#22363) chore: Update Chrome (stable) to 103.0.5060.53 (#22441) refactor: use design system windicss config (#21503) chore: update readme logo (#22433) chore: Update Chrome (beta) to 103.0.5060.53 (#22351) chore: updating version (#22432) Trigger Build
User facing changelog
Additional details
Previously, we worked around handling cross-origin cookie limitations by forcing all cookies to be
SameSite=None. This introduces a new approach where all cookies are captured in a server-side cookie jar and, where needed, cookies are attached to cross-origin requests to simulate what the browser would do if the AUT were in the top frame.PR Tasks
cypress-documentation?type definitions?